CVE-2016-4879: CSRF in baserCMS 3.0.10 and earlier
CVSS Score (v3.1): 8.8
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.31996%
CWE:
Published: 5/13/2022
Updated: 7/7/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
baserproject/basercms | composer | <= 3.0.10 | 
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability specifically affects the Mail plugin's administrative interface. CSRF vulnerabilities typically manifest in state-changing controller actions that lack anti-CSRF token validation. While the exact vulnerable code is not available, the following points match that pattern:
1) Administrative endpoints are high-value CSRF targets.
2) The Mail plugin's admin functions handle sensitive operations.
3) MVC frameworks such as CakePHP (which baserCMS uses) require CSRF protection to be enabled explicitly.
4) The CWE-352 classification confirms this is a missing request validation issue.
The 'admin_*' naming convention is common in CakePHP controllers for administrative endpoints.